EZCast TV Streaming Dongle Leaves Home Networks Wide Open to Hackers

In a plot point worthy of CSI: Cyber, the EZCast TV streaming device has been found to have a vulnerability that enables hackers to gain access to entire home networks.

EZCast, which has three million users globally, is an HDMI TV streaming dongle that essentially converts a regular TV into a smart TV. An analogue to Google Chromecast (but far less expensive—it goes for just £14.95 in the UK), it allows users to stream (or “cast”) content from a phone or tablet to a TV wirelessly. So, users can dial up a YouTube video on a phone, and stream it to a TV for wide-screen viewing in the living room. It also supports a range of third-party gaming and over-the-top (OTT) video apps, and allows users to easily connect the TV to a PC to transfer videos, photos, music and files.

Sounds great, right? And it is, except for the fact that the EZCast dongle runs on its own Wi-Fi network, which is secured only by an 8-digit numeric password. And that, of course, can be easily cracked.

Security firm Check Point in fact conducted a successful brute-force attack on the device, which allowed researchers to gain full unauthorized access to the user’s network. They were also easily able to use social engineering to gain additional network access, by sending the user a malicious link through messaging services like email, Facebook and Skype.

Once the Wi-Fi network is cracked, attackers can gain easy access into both the device and connected home networks—and once in, they can move around the networks undetected, providing the ability to view confidential information and infect other home devices with malware. The attacks can also be initiated remotely, meaning that hackers can execute malicious code from anywhere.

So, in short, the vulnerabilities leave all information stored on personal networks exposed to possible theft, including tax returns, bank statements, credit cards and other sensitive personal information, making the EZCast device a potentially lucrative attack vector for identity theft for cyber-criminals. It also leaves home PCs and mobile devices open to botnet infections, ransomware attacks and the like.

We reached out to EZCast, which proposed certain configurations of the dongle to increase its security level: 1. EZCast allows users to change the password for higher security. As with a home router, a complex password that is changed frequently enhances security; 2. Users can configure the dongle to be "via router only," meaning that the only way to access the dongle is through the home router, thus eliminating the EZCast-specific Wi-Fi network hole altogether and placing the device behind the home network's security protection.

A spokesperson also told us that in the next EZCast firmware update, it will change the approach to require longer, more complex passwords.

The situation is yet further evidence of internet of things (IoT) security risks coming to the fore. All too often, connected devices aren’t built with security best practices in mind, despite the fact that they can act as wide portals to consumers’ digital lives.

“This research provides a glimpse of what will be the new normal in 2016 and beyond—cyber-criminals using creative ways to exploit the cracks of a more connected world,” said Oded Vanunu, security research group manager, Check Point, in a blog. “The internet of things trend will continue to grow, and it will be important for consumers and businesses to think about how to protect their smart devices and prepare for the wider adoption of IoT.”